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including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington 

VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  a  penalty  for  failing  to  comply  with  a  collection  of  information  if  it 
does  not  display  a  currently  valid  OMB  control  number. 

1.  REPORT  DATE 

2004 

2.  REPORT  TYPE 

3.  DATES  COVERED 

4.  TITLE  AND  SUBTITLE 

5a.  CONTRACT  NUMBER 

Detection  and  Prevention  of  MAC  Layer  Misbehavior  for  Ad  Hoc 

5b.  GRANT  NUMBER 

nClWUl 

5c.  PROGRAM  ELEMENT  NUMBER 

6.  AUTHOR(S) 

5d.  PROJECT  NUMBER 

5e.  TASK  NUMBER 

5f.  WORK  UNIT  NUMBER 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Army  Research  Office, PO  Box  12211, Research  Triangle  Park, NC, 27709 

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

10.  SPONSOR/MONITOR'S  ACRONYM(S) 

11.  SPONSOR/MONITOR'S  REPORT 
NUMBER(S) 

12.  DISTRIBUTION/AVAILABILITY  STATEMENT 

Approved  for  public  release;  distribution  unlimited 

13.  SUPPLEMENTARY  NOTES 

The  original  document  contains  color  images. 

14.  ABSTRACT 

see  report 

15.  SUBJECT  TERMS 

16.  SECURITY  CLASSIFICATION  OF: 

17.  LIMITATION  OF 

ABSTRACT 

18.  NUMBER 

OF  PAGES 

17 

19a.  NAME  OF 

RESPONSIBLE  PERSON 

a.  REPORT 

unclassified 

b.  ABSTRACT 

unclassified 

c.  THIS  PAGE 

unclassified 

Standard  Form  298  (Rev.  8-98) 

Prescribed  by  ANSI  Std  Z39-18 


Detection  and  Prevention  of  MAC  Layer  Misbehavior 

for  Ad  Hoc  Networks 


Alvaro  A.  Cardenas,  Svetlana  Radosavac  and  John  S.  Baras 

Electrical  and  Computer  Engineering  Department 
and  the  Institute  for  Systems  Research 
University  of  Maryland  College  Park 

{acardena, svetlana, baras}@isr .umd. edu 


Abstract  It  is  known  that  802.11  is  not  resilient  to  selfish  behavior  and  denial  of 
service  (DoS)  attacks  targeting  the  MAC  layer.  In  this  study,  we  assess  the  per¬ 
formance  of  the  CSMA/CA  scheme  and  investigate  its  efficiency  with  regard  to 
security  and  information  assurance  in  mobile  ad  hoc  wireless  networks.  We  inves¬ 
tigate  several  variants  of  selfish  node  behaviors  that  abuse  the  random  choice  of 
Contention  Window  in  the  802.11  DCF  MAC  protocol.  We  show  that  selfish  be¬ 
havior  in  the  MAC  layer  can  have  devastating  side  effects  on  the  performance  of 
wireless  networks,  similar  to  the  effect  of  DoS  attacks.  Our  main  contributions  are 
the  prevention  and  detection  of  backoff  manipulation  in  an  ad  hoc  network.  First, 
we  propose  an  algorithm  to  prevent  backoff  manipulation  in  a  communication  link 
between  a  sender  and  a  receiver  when  at  least  one  of  the  nodes  behaves  honestly. 
Secondly  we  introduce  algorithms  for  detection  of  backoff  manipulation  by  a  pair 
of  colluding  nodes. 


1  Introduction 

The  communication  protocols  of  different  layers  of  an  ad  hoc  network  such  as  the  medium  ac¬ 
cess  control  (MAC)  protocol,  the  routing  protocol  and  the  transport  protocol,  were  designed  under 
the  assumption  that  all  nodes  will  obey  the  specification.  However  when  this  protocols  are  imple¬ 
mented  in  an  untrusted  environment,  nodes  can  misbehave  to  obtain  a  given  goal.  A  selfish  user  for 
example  can  change  the  congestion  avoidance  parameters  of  TCP,  mainly  increase  the  slope  of  the 
congestion  window  linear  growth  and  decrease  the  congestion  threshold  multiplicative  reduction, 
in  order  to  obtain  unfair  advantage  over  the  rest  of  the  nodes  in  the  network  [1],  A  selfish  user  can 
also  disobey  the  rules  to  access  the  wireless  channel  in  order  to  obtain  a  higher  throughput  than  the 
other  nodes.  In  limited  power  devices,  certain  nodes  might  refuse  to  forward  packets  in  behalf  of 
other  sources.  Misbehaving  in  the  network  protocols  will  degrade  the  performance  of  the  network 
as  experienced  by  the  honest  participants.  To  fully  address  this  problem  a  layered  security  mecha¬ 
nism  should  be  deployed  in  order  to  penalize  or  force  to  cooperate  misbehaving  nodes  that  degrade 
the  performance  seen  by  honest  participants.  In  this  paper  our  goal  is  to  protect  the  IEEE  802.11 
MAC  layer  from  unfairness  and  collisions  of  packets  caused  by  selfish  users  in  ad  hoc  networks. 

The  MAC  layer  in  a  communications  network  manages  a  multiaccess  link  (e.g.  a  wireless 
link)  so  that  frames  can  be  sent  by  each  node  without  constant  interference  from  other  nodes. 
MAC  layer  misbehavior  is  possible  in  network  access  cards  that  run  the  MAC  protocol  in  software 
rather  than  hardware  or  firmware  allowing  a  selfish  user  or  attacker  to  easily  change  MAC  layer 
parameters.  Even  network  interface  cards  implementing  most  MAC  layer  functions  in  hardware 
and  firmware  usually  provide  expanded  set  of  functionalities  which  can  be  exploited  to  circumvent 


the  limitations  imposed  by  the  firmware  [2].  In  the  worst  case  scenario  a  vendor  might  create  NIC 
cards  violating  the  MAC  protocol  to  create  an  improve  performance  of  its  products. 

The  IEEE  802.11  Medium  Access  Control  (MAC)  protocol  uses  a  distributed  contention  res¬ 
olution  mechanism  for  sharing  the  wireless  channel  and  its  design  tries  to  ensure  a  relatively  fair 
access  to  the  medium  for  all  participants  of  the  protocol.  The  MAC  layer  has  mechanisms  to  pro¬ 
tect  itself  from  congestions,  but  these  mechanisms  can  be  abused  by  attackers  and  used  to  disrupt 
communication  in  the  MAC  layer.  In  802.11  the  nodes  follow  binary  exponential  backoff  scheme 
that  favors  the  last  winner  amongst  the  competing  nodes.  Even  when  all  contending  nodes  are  well 
behaved  this  mechanism  can  lead  to  the  capture  effect  where  nodes  that  are  heavily  loaded  tend 
to  capture  the  channel  by  continuously  transmitting  data  which  makes  lightly  loaded  neighbors 
to  back  off  continuously.  Very  similar  effects  are  obtained  when  one  of  the  contending  nodes  is 
selfish. 

A  selfish  user  keeps  the  channel  busy  in  order  to  maximize  its  own  throughput.  As  a  side 
effect  of  this  behavior,  regular  nodes  cannot  use  the  channel  for  transmissions,  which  leads  to  a 
denial  of  service  (DoS)  attack  [15].  Due  to  the  randomness  introduced  in  the  choice  of  the  backoff, 
it  is  difficult  to  detect  when  a  selfish  user  has  chosen  small  values  of  the  backoff  by  chance  or 
not.  Selecting  small  backoff  values  gives  him  an  advantage  over  the  other  contending  nodes  that 
uniformly  choose  the  backoff  time. 

A  selfish  node  can  cause  congestion  in  the  network  as  a  side  effect  of  maximizing  its  through¬ 
put.  It  can  generate  an  excessive  amount  of  traffic  [6,  15]  or  specific  traffic  patterns  that  prevent 
certain  nodes  from  accessing  the  medium  and,  therefore,  maximizing  its  throughput. 

In  this  work  we  investigate  selfish  behavior  achieved  by  manipulating  the  backoff  mechanism 
of  IEEE  802.1 1  MAC  protocol.  However,  a  selfish  user  can  implement  a  whole  range  of  strategies 
to  maximize  its  access  to  the  medium.  The  most  likely  strategy  that  an  intelligent  selfish  user  will 
employ  is  to  use  different  schemes  of  manipulating  the  rules  of  the  MAC  layer.  The  attacker  can 
manipulate  the  size  of  the  Network  Allocation  Vector  (NAV)  and  assign  large  idle  time  periods  to 
its  neighbors,  it  can  decrease  the  size  of  Interframe  Spaces  (both  SIFS  and  DIFS)  etc.  A  successful 
detection  scheme  should  take  into  account  all  possible  cheating  schemes  in  the  MAC  layer  and 
detect  both  users  that  employ  only  one  scheme  and  users  that  employ  a  combination  of  several 
schemes  (i.e.  first  choosing  small  backoff  values,  then  assigning  large  NAV  values  to  its  neighbors 
etc.) 

In  Section  4  we  attempt  to  solve  the  problem  of  misbehavior  by  preventing  cheating  in  the 
backoff  stage  of  IEEE  802.11  for  non-colluding  nodes.  In  Section  5  we  solve  the  problem  of  de¬ 
tecting  misbehavior  of  colluding  nodes.  Both  of  the  protocols  can  be  extended  for  any  probabilistic 
distributed  protocol  to  access  the  channel. 


2  Related  Work 

Selfish  misbehavior  at  the  MAC  layer  has  been  addressed  mostly  from  a  game  theoretic  perspec¬ 
tive.  The  goal  in  a  game  theoretic  setting  is  to  design  distributed  protocols  that  guarantee  the 
existence,  uniqueness  and  convergence  to  a  Nash  equilibrium.  As  we  have  previously  pointed  out, 
if  users  try  to  maximize  their  throughput,  every  node  will  attempt  to  transmit  continuously  in  such 
way  that  users  will  deny  access  to  any  other  node  and  the  network  would  collapse.  This  network 
collapse  due  to  aggressive  selfish  behavior  is  a  Nash  equilibrium.  In  order  to  obtain  a  different 
Nash  equilibrium,  a  cost  for  every  node  for  each  time  it  access  the  channel  has  to  be  included.  For 
example  in  [1 1,  8],  the  selfish  users  in  Aloha  attempt  to  maximize  their  throughput  minus  a  cost  for 


accessing  the  channel  (e.g.  energy  consumption).  Another  game  theoretic  scheme  for  CSMA/CA 
schemes  is  presented  in  [12].  It  shows  how  a  Nash  equilibrium  is  achieved  against  selfish  users 
when  the  cost  for  accessing  the  channel  repeatedly  is  being  jammed  by  another  node.  A  node 
jams  anonymously  any  other  node  that  achieves  higher  output  than  the  average  of  everyone  else 
(assuming  nodes  always  have  data  to  transmit,  the  throughput  of  every  node  should  be  fair).  They 
assume  all  nodes  are  within  wireless  range  to  avoid  the  hidden  terminal  problem,  so  this  scheme 
is  mostly  intended  for  wireless  LANs.  Game  theoretic  protocols  assume  all  nodes  are  selfish  (the 
worst  case  scenario)  and  therefore  the  throughput  achieved  by  honest  nodes  in  these  protocols  is 
substantially  less  than  in  protocols  where  the  honest  majority  cooperates. 

Detection  of  misbehavior  at  the  MAC  layer  has  received  little  attention  in  the  literature.  Several 
possible  schemes  of  node  misbehavior  in  802.1 1  for  achieving  a  higher  throughput  are  presented  in 
[13].  The  detection  of  such  misbehavior  is  achieved  through  a  system  called  DOMINO.  However, 
their  detection  scheme  for  backoff  manipulation,  based  on  comparing  average  values  of  the  backoff 
to  given  thresholds  is  suboptimal  for  every  strategy  of  the  greedy  user.  In  this  paper  we  propose  a 
new  detection  schemes  for  the  backoff  manipulation  that  we  believe  will  improve  the  performance 
of  systems  such  as  DOMINO. 

Kyasanur  and  Vaidya  [10]  propose  a  modification  to  802.11  for  facilitating  the  detection  of 
misbehaving  nodes.  The  receiver  (a  trusted  host  -e.g.  base  station-)  assigns  the  backoff  value  to 
be  used  by  the  sender,  so  the  former  can  detect  any  misbehavior  of  the  latter  and  penalize  it  by 
increasing  the  backoff  values  for  the  next  transmission. 

The  protocol  consists  of  three  parts: 

•  Detection:  The  sender  deviates  from  the  protocol  if  the  observed  number  of  idle  slot  Bact 
is  smaller  than  a  specified  fraction  a  of  the  assigned  backoff  Bexp.  To  alleviate  for  false 
positives  in  the  presence  of  a  hidden  terminal,  the  sender  will  count  only  as  busy  time  slots 
those  slots  not  reserved  by  other  nodes  with  a  RTS/CTS. 

•  Penalty:  Assign  a  penalty  with  a  measure  of  deviation  D  =  mAx(a.Bexp  —  Bact .  0). 

•  Diagnosis  Scheme:  If  the  sender  deviates  repeatedly,  i.e.  if  the  sum  of  misbehavior  in  a 
sliding  window  is  bigger  than  some  threshold,  then  the  sender  is  labeled  as  misbehaving  and 
the  receiver  takes  drastic  measures,  e.g.  drop  all  packets  by  the  sender. 

The  problem  of  applying  this  protocol  for  ad  hoc  networks  is  that  the  receiver  might  not  be  trusted. 
In  this  paper  we  extend  the  idea  of  [10]  by  presenting  an  algorithm  that  ensures  a  honest  backoff 
selection  among  the  sender  and  a  receiver  as  long  as  one  of  the  participants  is  honest. 

All  the  schemes  presented  above  as  well  as  the  ones  we  propose,  require  the  proper  use  of 
MAC  layer  authentication  schemes  providing  uniquely  verifiable  identities  in  order  to  prevent  im¬ 
personation  and  Sybil  attacks  [7]. 

We  also  assume  that  there  is  a  reputation  management  system  similar  to  CONFIDANT  [5,  4], 
where  nodes  can  monitor  and  distribute  reputation  values  about  other  nodes  behavior  at  the  MAC 
layer  (CONFIDANT  however  focuses  in  reputation  at  the  routing  layer). 


3  IEEE  802.11  DCF 

The  distributed  coordinating  function  (DCF)  of  802.11  specifies  the  use  of  CSMA/CA  to  reduce 
packet  collisions  in  the  network.  A  node  with  a  packet  to  transmit  picks  a  random  backoff  value  b 
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Figure  1:  Nodes  A  and  C  contend  for  accessing  node  B.  The  first  time  A  reserves  the  channel,  and 
in  the  second  time  C  accesses  the  channel. 

chosen  uniformly  from  the  set  {0,1,...  ,CW  —  1}  ( CW  is  the  contention  window  size),  and  trans¬ 
mits  after  waiting  for  b  idle  slots.  Nodes  exchange  RTS  and  CTS  packets  to  reserve  the  channel 
before  transmission.  Both  the  RTS  and  the  CTS  contain  the  proposed  duration  of  data  transmis¬ 
sion:  the  duration  field  indicates  the  amount  of  time  (in  microseconds)  after  the  end  of  the  present 
frame  that  the  channel  will  be  utilized  to  complete  the  successful  transmission  of  the  data  or  man¬ 
agement  frame.  Other  hosts  which  overhear  either  the  RTS  or  the  CTS  are  required  to  adjust  their 
network  allocation  vector  (NAV),  which  indicates  for  how  long  should  the  node  defer  transmis¬ 
sions  on  the  channel,  which  includes  the  SIFS  interval  and  the  acknowledgment  frame  following 
the  transmitted  data  frame.  If  a  transmission  is  unsuccessful  (by  the  lack  of  CTS  or  the  ACK  for 
the  data  sent),  the  CW  value  is  doubled.  If  the  transmission  is  successful  the  host  resets  its  CW  to 
a  minimum  value  CWmin. 

The  following  diagram  depicts  the  handshake  mechanism  used  in  802. 1 1  DCF 
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Figure  1  shows  an  example  of  contending  nodes  using  the  protocol. 

The  timers  are  selected  based  on  which  physical  layer  802.11  is  using.  For  example  table 
1  shows  the  parameters  used  when  the  physical  layer  is  using  direct  sequence  spread  spectrum 
(DSSS)  (timeouts  are  not  defined  in  the  IEEE  802.11  standard,  but  are  usually  set  to  the  values 
given  in  the  table). 

The  exchange  of  RT S / CT S  control  frames  is  an  optional  feature  of  802. 1 1 .  The  primary  reason 
for  enabling  this  functionality  is  if  you  expect  frequent  collisions  or  retransmissions  due  to  hidden 
nodes.  If  RT S/CT S  is  not  enabled  then  for  any  data  packet  transmitted  only  two  frames  are  needed: 
DATA/ ACK.  Since  hidden  nodes  are  common  in  ad  hoc  networks,  we  assume  the  exchange  of 
RTS /CTS  is  active. 

Cheating  in  the  802.11  protocol  can  be  done  in  many  places,  for  example  by  setting  large 
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Table  1:  Parameters  for  DSSS 

NAV  values  for  other  contending  nodes,  by  deauthenticating  neighboring  nodes,  or  by  violating 
the  backoff  mechanism.  However  most  of  the  cheating  is  fairly  easy  to  detect  or  defend  except  for 
backoff  manipulation  [13,  2].  In  this  paper  we  propose  in  section  4  a  technique  for  ensuring  honest 
backoffs  when  there  is  at  most  one  cheating  node  and  in  section  5  we  consider  detection  tests  when 
there  are  colluding  nodes  in  the  network. 


4  ERA:  Ensuring  Randomness  for  802.11 

One  of  the  main  assumptions  used  in  the  scheme  proposed  in  [10]  is  that  the  receiver  has  to  be 
trusted.  This  assumption  is  well  suited  for  infrastructure -based  wireless  networks,  where  the  base 
station  can  be  trusted.  However,  in  the  case  of  ad  hoc  networks  the  receiver  can  misbehave  by 
selectively  assigning  the  backoff  values  to  different  senders.  For  example,  the  receiver  can  be 
expecting  data  from  a  particular  sender  and  thus  assign  small  backoff  values  to  it,  degrading  the 
performance  of  the  other  neighboring  senders.  The  receiver  can  also  assign  large  backoff  values 
to  some  neighbors  and  deny  them  access  to  the  network.  Furthermore,  if  there  are  two  pairs 
of  receivers  and  senders  in  the  same  range,  a  malicious  receiver  can  overhear  the  backoff  value 
assigned  by  the  other  receiver  to  the  first  sender,  and  then  unilaterally  select  a  random  backoff  for 
the  second  sender  such  that  it  will  cause  a  collision  between  the  two  senders.  This  scenario  can  be 
seen  in  figure  2. 

In  this  section  we  propose  an  extension  to  the  802.11  CSMA/CA  protocol  that  will  ensure  a 
uniformly  distributed  random  backoff,  in  the  case  that  at  least  one  of  the  parties  is  honest.  The 
basic  idea  follows  the  protocol  for  flipping  coins  over  the  telephone  by  Blum  [3]. 

The  protocol  can  be  embedded  in  802.11  to  be  used  every  time  a  new  reservation  of  the  chan¬ 
nel  takes  place.  The  messages  are  appended  (denoted  by  a  double  bar  ||)  to  the  normal  message 
exchange  of  802.11: 


Figure  2:  Node  C  transmits  to  A  and  node  B  wants  to  transmit  to  D.  After  hearing  the  backoff 
assigned  by  A  to  C,  node  D  will  assign  a  backoff  to  node  B  such  that  it  will  collide  with  C. 
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We  now  explain  the  protocol  step  by  step. 

1 .  In  the  first  step  the  sender  S  selects  a  nonce:  a  number  n  selected  uniformly  randomly  from 
the  set  {0, 1, . .  .,2knonce},  denoted  as  n  {0, 1  }*"once.  knonce  is  a  security  parameter  selected 
so  that  it  is  difficult  for  R  to  guess  the  nonce,  for  example  knonce  —  64.  This  step  is  optional 
and  is  done  in  order  to  prevent  an  offline  attack  to  the  commitment  scheme. 

2.  In  the  second  step  the  receiver  R  selects  a  random  backoff  r  from  the  set  {0, 1 , ... ,  CWmjn  —  1 } 

and  commits  to  it.  In  binary  notation  r  is  a  random  bit  string  of  length  m  (r  =  •  •  •  rm), 

where  m  —  log2  CWmm  (note  that  the  minimum  contention  window  size  CWmjn  is  always  a 
power  of  two).  The  commitment  scheme  Commit  is  such  that  the  following  two  properties 
are  satisfied:  (in  a  reasonable  amount  of  time-  time  outs  in  802.11  for  reserving  the  channel 
are  between  300 /us  to  350/js): 

Binding:  After  sending  Commit(r|  |n),  the  receiver  cannot  open  the  commitment  to  a  differ¬ 
ent  value  f^r  (except  with  negligible  probability).  This  protects  against  a  dishonest  R 
that  might  try  to  change  the  committed  value  depending  on  the  r'  received  by  S. 


Hiding:  Given  Commit(r|  |n),  S  cannot  extract  any  information  about  r  that  will  enable  it  to 
distinguish  r  from  any  other  bit  string  of  length  m  (except  with  negligible  probability). 
This  protects  against  a  dishonest  S  that  will  try  to  tailor  r'  based  on  its  guess  of  r. 

3.  After  receiving  the  Commitment  a,  S  selects  a  random  value  r'  —  r[  r'2  ■  ■  ■  r'm  from  (0, 1 , . . . ,  CWmin 
1}. 

4.  Finally  R  opens  its  commitment  to  S.  Opening  a  commitment  is  an  operation  that  reveals 
to  S  the  committed  value  r,  plus  some  information  so  that  the  other  party  can  confirm  that 
the  value  revealed  is  indeed  the  value  that  was  committed.  If  the  value  opened  by  the  R  is 
correct,  then  the  sender  and  the  receiver,  compute  the  backoff  b  =  b\b2-  •  ■  bm  as  the  xor  of 
the  bits:  bj  —  ri  (D  r'r  If  it  is  not,  then  the  sender  can  report  a  misbehavior  to  the  reputation 
management  system  we  assumed. 

Several  commitment  schemes  are  known  under  very  different  computational  assumptions.  Very 
efficient  commitment  schemes  in  terms  of  computation  and  communication,  can  be  implemented 
under  the  random  oracle  model.  In  this  setting  it  is  a  standard  practice  to  assume  that  hash  func¬ 
tions  H  such  as  SHA-1  or  MD5  are  random  oracles.  Under  this  assumption  it  is  easy  to  see  that 
the  following  commitment  scheme  satisfies  the  binding  (by  assuming  H  to  be  collision  resistant) 
and  hiding  properties  (by  assuming  H  is  a  random  oracle)  required: 


Commit(r|  |n) 


/<-{o,i}* 

Output  =  H  (i  1 1  r|  |  n) 


Open  ( H  ( i  1 1  r  1 1  n)) 

Output  =  (i,  r) 

where  k  is  a  security  parameter  (e.g.  k  —  64,  it  is  not  considered  feasible  to  search  for  264messages 
given  the  current  state  of  art).  To  open  the  commitment  R  has  to  send  r  as  well  as  i,  so  that  S  can 
check  if  the  commitment  was  valid. 

For  a  practical  case,  consider  when  the  physical  layer  of  802.1 1  is  set  to  direct  sequence  spread 
spectrum  (DSSS).  In  DSSS  mode  the  minimum  contention  window  size  is  32  time  slots,  therefore 
m  —  log2  CWmin  —  5,  that  is,  r'  and  r  are  only  5  bits  long  which  is  an  insignificant  quantity  to  be 
appended  to  a  DATA  frame.  The  acknowledgement  frame  would  incur  with  a  reasonable  extra 
k  +  m  =  69  bits.  If  we  use  SHA-1  to  implement  the  hash  function  of  the  commitment  then  we 
obtain  a  message  digest  of  160  bits.  The  RTS  frame  would  be  doubled  in  size  if  we  use  the  full 
message  digest,  however  320  bits  would  still  be  insignificant  to  a  normal  DATA  frame  which  can 
be  up  to  2312  bytes,  therefore  the  use  reservation  by  exchanging  RTS/CTS  would  still  be  more 
effective  than  the  basic  access  mode  of  802.1 1  DCF  (no  RTS/CTS  exchange).  If  doubling  the  size 
of  a  RTS  frame  is  a  concern,  the  output  of  SHA-1  can  always  be  truncated  for  example  to  80  bits. 
The  security  reduction  of  the  message  digest  has  to  be  evaluated  under  the  birthday  paradox:  if  the 
message  digest  has  h  bits,  then  it  would  take  only  about  2/!/2  messages  (out  of  2k+m+k'wnce),  chosen 
at  random,  before  one  would  find  two  (inputs)  with  the  same  value  (message  digest).  Considering 
the  normal  timeout  between  frames  to  be  300/./.V,  we  can  safely  assume  240  computations  cannot  be 
done  in  this  time. 


Finally  the  nonce  parameter  should  discourage  offline  attacks.  If  knonce  =  0,  an  attacker  could 
attempt  to  find  collisions  offline  and  then  open  a  false  commitment.  There  is  a  tradeoff  then 
between  the  length  of  the  message  digest  used  for  the  commitment  and  the  security  parameter 
knonce •  The  longer  the  message  digest,  the  less  likely  there  is  an  offline  attack. 

If  we  remove  the  nonce  from  the  protocol  we  can  make  the  sender  use  more  transmission  power 
than  the  receiver  with  the  following  protocol: 


S 

f  {0,  1 , .  .  .  ,  CWmin  —  1 } 

RTS\\a 

a  =  Commit(r)  - > 

CTS\\r' 

< - 

ZMrA||Open(a) 

- > 

,  ACK 

bi  =  n  ©  it  < - 


R 


/  ^{0,1,..., CWmin -1} 
Commit(r)  =  a 
bi  =  ri®r'i 


in  this  case,  the  receiver  will  only  be  required  to  append  an  extra  five  bits  to  the  CTS  frame. 
A  data  frame  would  be  appended  b  and  r  which  sum  up  to  only  69  bits,  which  is  still  very  small 
compared  to  the  payload.  So  our  only  major  modification  to  802.11  in  terms  of  communication 
bandwidth  used  is  the  payload  of  the  message  digest  o. 

To  finalize  this  section  we  just  point  out  that  once  a  sender  and  a  receiver  have  agreed  on  a  given 
random  backoff  the  receiver  can  monitor  the  behavior  of  the  sender  and  report  a  misbehaving  node 
to  the  reputation  management  system.  To  detect  if  the  sender  deviated  from  the  agreed  backoff, 
we  can  use  the  detection  algorithm  given  in  [10],  in  particular  we  note  that  if  the  sender  sensed 
the  channel  to  be  idle  it  would  count  down  its  backoff  timer,  however  the  receiver  can  sense  the 
channel  to  be  busy  (channel  reserved  by  a  hidden  node  to  the  sender)  and  under  normal  operation 
it  would  not  count  down  its  timer.  In  order  to  avoid  false  positives  created  by  the  hidden  terminal 
unit,  the  receiver  will  always  decrement  the  counter  that  monitors  the  sender.  It  is  also  mentioned 
in  [10]  how  to  handle  the  detection  during  packet  retransmissions,  i.e.  when  the  sender  collides  and 
has  to  choose  by  itself  another  backoff  value  from  the  set  (0,1,...,  (CWm/„  +  1  )2l~  1  —  1}  (where 
i  is  the  number  of  retransmissions  and  it  keeps  increasing  until  the  size  of  the  contention  window 
reaches  CWmax). 

5  Detection  System 

The  previous  algorithm  is  not  resistant  to  colluding  nodes  selecting  small  backoff  values  with  the 
intention  of  maximizing  their  throughput,  at  the  expense  of  throughput  degradation  for  neighboring 
nodes.  Similarly,  colluding  nodes  can  agree  on  sharing  large  backoff  times,  causing  large  delays 
in  their  transmissions  so  that  they  are  rejected  from  inclusion  in  routing  layer  paths.  In  the  rest  of 
this  section  we  will  focus  only  on  detecting  colluding  nodes  with  the  intention  of  selecting  small 
backoff  values.  Detecting  large  backoff  times  can  be  done  in  the  similarly. 

When  the  sender  and  the  receiver  collude  by  selecting  their  random  numbers  for  the  contention 
window  a  priori,  they  can  deny  access  to  the  network.  For  example,  consider  figure  3  and  assume  C 
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Figure  3:  Nodes  M  and  D  collude  to  and  interfere  in  the  communication  path  of  nodes  B  and  C 

is  within  wireless  range  of  nodes  D  and  M  (it  is  a  reasonable  assumption  that  in  wireless  networks 
there  will  always  be  nodes  that  are  neighbors  of  both  colluding  nodes:  D  and  M).  Without  loss 
of  generality,  assume  C  monitors  the  access  times  of  node  M.  Note  that  C  can  compute  exactly 
the  backoff  time  by  listening  to  the  exchanged  values  n.  a,  r' .  o'  (between  M  and  D)  and  then  com¬ 
puting  the  backoff  bi  —  r,-  ©  r\.  If  the  sender  deviates  from  this  backoff  then  node  C  can  detect  a 
misbehaving  sender  in  the  same  way  a  honest  D  would  detect  a  misbehavior  of  M.  However  if 
nodes  D  and  M  collude,  they  can  select  a  priori  their  numbers.  For  example  they  can  collude  to 
present  to  node  C  a  valid  message  agreement  on  the  backoff  zero  by  selecting  the  following  values: 


M 

n  <—  {0, 


b  =  00000 


D 

RTS\  \n 

- > 

CTS\\a 

-  a  =  Commit(00000||n) 

ZMrA||00000 

- >  o/  =  Open(a) 

ACK\\& 


b  =  00000 


At  the  end,  the  sender  will  not  wait  for  any  time  slot  in  the  backoff  period  and  will  send 
immediately  its  last  DIFS  ends.  In  Figure  4  we  show  how  the  sequence  of  small  backoffs  0,1,2,... 
from  node  M  will  cause  the  timer  for  the  CT S  frame  of  node  A  to  time  out.  Node  A  will  therefore 
backoff  exponentially  repeatedly,  making  it  less  likely  to  access  the  network.  We  implemented 
this  setting  in  the  network  simulator  Opnet,  and  allowed  the  colluding  nodes  to  transmit  with  the 
smallest  backoff  in  a  period  of  time.  In  figure  5  it  is  shown  how  the  colluding  nodes  denied  access 
to  the  network  to  node  A  during  that  period. 

Having  motivated  the  need  to  detect  colluding  MAC  layer  misbehavior  in  ad  hoc  networks,  in 
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Figure  4:  Nodes  M  and  D  collude  and  select  a  very  small  backoff,  thereby  denying  access  to  node 
A  by  causing  CTS  timeouts. 
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Figure  5:  Simulation  of  traffic  sent  by  node  M  (top  figure)  versus  traffic  sent  by  node  A  (bottom 
figure).  When  D  and  M  collude  A  is  denied  access  to  the  network. 


the  rest  of  this  section  we  focus  on  designing  algorithms  such  that  neighboring  nodes  can  detect 
when  other  nodes  do  not  follow  a  uniformly  random  backoff  time.  Although  our  emphasis  is  on 
ad  hoc  networks,  the  same  algorithms  can  be  applied  to  other  settings,  for  example  to  monitor 
greedy  behavior  at  access  points  in  WLANs  using  the  original  802. 1 1  protocol  (802. 1 1  without  the 
modifications  introduced  in  the  previous  section). 

5.1  Test  for  backoff  manipulation 

A  misbehaving  host  that  knows  there  are  neighboring  nodes  monitoring  its  backoff  period  will 
try  to  avoid  detection  while  maintaining  a  high  throughput.  It  is  difficult  however  to  come  up 
with  a  strategy  that  the  misbehaving  nodes  will  use  to  access  the  channel  more  frequently.  If  we 
assume  for  example  that  the  misbehaving  nodes  will  select  their  backoff  uniformly  random  from 
the  set  (0,1,...  ,CWmjn/ 4}  and  monitor  the  access  times  for  no  occurrences  above  CWmin/ 4,  then 
an  adaptive  misbehaving  node  will  override  our  detection  mechanism  by  selecting  a  value  above 
CWmin/ 4  before  our  test  makes  a  decision.  Selecting  the  time  at  which  to  wait  for  a  backoff  larger 
than  CWmin/ 4  assumes  the  colluding  nodes  know  perfectly  well  our  assumptions  about  the  attack 
and  the  parameters  used  for  its  detection.  Giving  the  misbehaving  nodes  the  capability  to  know 
our  assumptions  on  the  attack  allow  us  to  consider  detection  schemes  which  do  not  assume  that 
misbehaving  nodes  will  be  systematically  fooled.  In  general,  we  assume  that  the  colluding  nodes 
are  intelligent  (they  know  everything  each  monitoring  node  knows  about  the  detection  scheme), 
and  that  they  can  make  inferences  about  the  situation  in  the  same  way  as  the  monitoring  nodes  can. 

In  general,  the  more  inaccurate  assumptions  we  make  about  the  attack,  the  less  effective  our 
detection  algorithm  is.  In  particular  we  do  not  know  a  priori  the  probability  distribution  that  the 
colluding  nodes  will  use  in  order  to  access  the  channel. 

The  first  intuitive  assumption  to  make  about  the  strategy  of  the  colluding  nodes  is  that  it  will 
let  one  of  them  access  the  channel  in  a  way  that  the  mean  access  should  decrease  from  the  minimal 
mean  backoff  Bmin  :=  (CWmm  —  l)/2,  i.e.  on  average  the  selfish  node  will  attempt  to  access  the 
channel  more  frequently  than  any  other  contending  node.  In  order  to  penalize  also  nodes  that  do 
not  double  their  contention  window  every  time  they  collide,  we  could  test  for  a  decrease  from  a 
nominal  backoff  Bnom  (where  Bnom  >  Bmin)  representing  our  long  term  average  backoff.  Note  that 
each  monitoring  node  has  to  estimate  Bnom  online.  The  selection  of  testing  either  a  decrease  in 
Bmin  or  Bnom  will  depend  on  the  risk  assessment  of  the  threat  provided  by  the  misbehaving  nodes. 
Without  loss  of  generality  and  in  order  to  be  conservative  with  our  detection  mechanism  we  select 
to  test  for  deviations  from  Bmin. 

Before  presenting  the  statistical  tests,  let  us  introduce  some  notation.  Let  A,  denote  the  ith 
backoff  time  for  a  given  monitored  node.  After  measuring  n  backoff  times  for  node  M,  we  end  up 
with  the  sequence  X\.  -  ■■  ,Xn.  We  assume  we  make  a  decision  after  n  observations. 

5.1.1  Tests  for  change  in  the  mean 

Using  this  sequence  of  data,  in  DOMINO  [13]  a  detection  mechanism  is  proposed  for  testing  a 
deviation  from  the  reference  backoff.  The  algorithm  first  computes  an  average  Xac  =  Y/,=  \  Xi/n,  of 
the  observations  taken  over  a  given  unit  of  time  (e.g.  10s)  and  then,  the  averaged  value  is  compared 
to  the  reference  backoff : 

Xac  A  yBmin 

the  parameter  y  (0  <  y  <  1)  controls  the  rate  for  false  alarms.  An  optional  parameter  K  will 
only  flag  a  false  alarm  after  the  statistic  Xac  has  exceeded  yBmin  K  times.  They  tested  the  detection 


scheme  against  a  misbehaving  node  whose  strategy  was  to  select  backoff  values  uniformly  random 
from  the  set  {0, 1, ,  \CWm-m  x  8J },  where  8  (0  <  8  <  1)  represents  the  amount  of  misbehavior, 
with  8  =  0  meaning  that  the  station  transmits  without  backoff  and  with  8=1  meaning  no  mis¬ 
behavior.  The  results  show  that  when  the  misbehaving  node  increases  its  throughput  three  times 
more  the  normal  value,  then  the  detection  mechanism  will  always  catch  him  while  maintaining  a 
false  alarm  rate  below  0. 1 . 

This  algorithm  in  DOMINO  however  is  not  optimal  for  more  intelligent  strategies  of  the  mis¬ 
behaving  nodes.  A  misbehaving  node  in  802. 1 1  (or  a  pair  of  colluding  nodes  in  ERA-802. 11)  will 
avoid  detection  and  still  achieve  access  to  the  channel  more  than  half  of  the  contending  trials  by 
selecting  the  following  backoff  scheme: 

For  the  first  (K  —  1  )n  backoffs,  select  a  backoff  of  zero  (this  exploits  the  fact  that  an  alarm  is 
never  raised  until  the  mean  statistic  has  exceeded  j Bmjn  K  times.)  Then  alternate  between  a  backoff 
of  zero  and  the  backoff  2yBllun . 

This  strategy  will  ensure  that  an  alarm  is  never  raised  for  the  misbehaving  nodes,  while  still 
providing  access  to  the  channel  more  than  half  of  the  times  no  matter  how  many  other  contending 
neighbors  there  are.  Since  in  an  ad  hoc  network  there  might  be  several  nodes  monitoring  the 
misbehaving  backoff  strategy,  each  with  different  values  of  K  (different  times  of  arrivals  to  the 
neighborhood),  a  safe  strategy  is  just  to  alternate  between  0  and  2yR„„„,  a  strategy  which  still  gives 
access  to  the  channel  to  the  misbehaving  nodes  more  than  half  of  the  times. 

This  same  fate  is  shared  with  several  nonparametric  tests  measuring  how  “shifted”  in  the  X 
axis  is  the  alternative  distribution  from  the  null  distribution  (which  is  assumed  to  be  symmetric  at 
zero).  If  we  define  the  independent  and  identically  distributed  (i.i.d.)  random  process:  Y\.....Yn 
by:  Yi  =  —  Xj  we  can  use  a  Sign  Test  or  a  Wilcoxon  Test  [9]. 

5.1.2  Entropy  Estimation 

Clearly  if  we  could  test  how  random  the  backoff  mechanism  of  the  misbehaving  node  is,  we  would 
make  the  evasion  of  detection  more  difficult.  However  applying  empirical  statistical  tests  to  ran¬ 
dom  number  generators  is  a  highly  heuristic  affair.  Furthermore  an  adversary  can  still  cheat  several 
of  the  tests,  such  as  cumulative  sums,  frequency  counts  and  tests  based  on  random  walks,  while  still 
accessing  the  channel  much  more  often  than  honest  participants.  We  therefore  turn  our  attention  to 
the  entropy  of  the  backoff  process,  as  one  of  the  more  used  measures  of  randomness.  Note  however 
that  we  do  not  need  to  measure  the  entropy  of  the  backoff  values  observed  versus  the  entropy  of 
a  uniform  random  variable  with  range  (0,1,... , CWmin  —  1}.  Doing  this  would  cause  much  more 
false  alarms  due  to  the  large  parameter  space  for  estimation  (estimating  more  parameters  means 
our  observations  before  making  a  decision  would  increase  dramatically).  Therefore  we  partition 
the  backoff  range  into  M  bins,  where  2  <  M  <  CWm\n  so  that  the  estimation  of  the  probabilities 
in  each  bin  is  more  efficient  for  small  sample  sizes,  while  limiting  the  attacker  strategies.  As  a 
statistical  test,  we  measure  the  empirical  entropy  of  the  M  bins  (which  ideally  should  be  close  to 
—  logo  jf)  with  a  threshold  given  by  a  fixed  false  alarm  rate. 

In  order  to  evaluated  the  performance  of  the  entropy  statistic,  we  compare  it  to  the  detection  ac¬ 
curacy  of  DOMINO,  and  a  Wilcoxon  nonparametric  rank  test.  The  strategy  of  the  selfish  user  is  to 
fool  the  detection  scheme  by  alternating  backoff  values  between  0  and  a,  for  a  =  0, ... ,  CWm\n  —  1. 
a  therefore  is  a  measure  of  evasion  by  the  misbehaving  node  where  a  =  0  means  the  node  transmits 
without  any  backoff,  and  a  =  CWmin  —  1  means  the  node  alternates  between  transmitting  without 
any  backoff  and  backing  off  for  CWmjn.  The  parameters  of  the  simulation  were  104  samples,  n  =  20, 
CWmin  =  32  and  the  number  of  bins  to  evaluate  the  entropy  was  M  =  8.  Figure  5  shows  how  the 
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Figure  6:  Entropy  Test  Limits  the  Strategy  Space  of  the  Misbehaving  Nodes 


Figure  7 :  Due  to  asymmetrical  network  topology,  node  B  cannot  guarantee  fair  access  to  it  among 
nodes  A  and  S 

entropy  test  can  easily  detect  the  selfishness  while  the  Wilcoxon  test  misses  the  strategy  when 
a  >  Bmin/2  and  DOMINO  when  a  >  jBmm  •  This  result  should  not  be  a  surprise,  as  the  entropy  of 
the  selfish  behavior  in  this  case  is  just  2.  Note  that  in  the  case  of  8  bins,  the  optimal  strategy  for 
the  misbehaving  node  is  to  select  the  smallest  backoff  within  each  interval:  0,3,7,11,15,19,23,27. 
Furthermore  if  the  selfish  node  knows  the  false  alarm  rate,  then  it  can  do  better  by  selecting  just 
the  first  values:  0,3,7,11,15,19  (when  we  are  only  tolerating  up  to  an  entropy  of  log26). 

5.2  Test  for  Unfair  Use 

If  we  want  to  be  conservative  in  the  detection  of  misbehavior,  after  we  obtain  an  alarm  from  the 
backoff  manipulation  algorithm,  we  can  correlate  the  identity  of  the  accused  node,  with  the  actual 
throughput  difference  among  contending  nodes.  However,  the  actual  throughput  depend  on  many 
variables  that  are  beyond  the  reach  of  the  monitoring  node.  It  depends  on  the  traffic  pattern  of 
the  network  (other  nodes  might  not  have  anything  to  send),  and  the  network  topology:  figure  7. 


Since  802. 11  ’s  MAC  layer  has  been  shown  to  be  unfair  at  short  and  long  term  use,  for  arbitrary 
topologies  in  ad  hoc  networks  [14],  we  do  not  attempt  to  test  for  fairness  but  rather  we  test  for  the 
amount  of  unfairness  that  we  will  be  able  to  accept.  This  test  is  just  to  ensure  that  if  the  backoff 
manipulation  test  detects  a  misbehaving  node,  it  is  indeed  making  an  unfair  use  of  the  network 
by  diminishing  the  throughput  experienced  by  neighboring  nodes.  In  this  setting  we  assume  the 
monitoring  nodes  are  contending  to  access  the  same  receiver.\ 

In  this  model  we  assume  the  selfish  user  will  only  permit  access  to  the  medium  to  its  N  neigh¬ 
bors  with  only  £  probability.  Alternatively  it  can  be  seen  as  the  amount  of  unfairness  we  allow. 

On  the  other  hand,  a  fair  protocol  would  allow  access  to  the  medium  proportional  to  the  other 
nodes  (when  the  nodes  are  in  saturation  condition).  Therefore  if  we  let  Lr  be  the  number  of  times 
we  observe  any  node  other  than  node  A  accessing  the  medium  and  L&  the  number  of  times  A 
accesses  the  medium,  a  simple  likelihood  ratio  test  to  inform  if  A  is  being  overly  unfair  or  closer 
to  a  complete  fair  protocol  is  the  following: 

.  (1  -£)^£L«  ^ 

We  stress  out  again  that  this  test  should  not  be  used  alone  given  the  characteristic  unfairness  of 
802.1 1,  but  rather  as  a  way  to  complement  backoff  manipulation  detection  algorithms. 

6  Conclusions  and  Future  Work 

Misbehavior  at  the  MAC  layer  by  changing  the  backoff  mechanism  can  lead  to  performance  degra¬ 
dation  and  even  denial  of  service  attacks  in  ad  hoc  networks.  In  this  paper  we  have  presented 
ERA-802.11  in  order  to  help  in  the  detection  of  non-colluding  selfish  nodes.  However,  even  when 
neighboring  nodes  know  the  backoff  time  agreed  by  a  misbehaving  node,  the  network  topology 
and  hidden  nodes  can  severely  degrade  the  correct  detection  of  the  node.  We  plan  to  investigate 
in  the  future  how  an  implementation  of  ERA- 802. 11  performs  with  respect  to  the  number  of  hid¬ 
den  nodes  in  the  neighborhood.  We  also  plan  to  investigate  if  the  small  overhead  included  in  the 
reservation  packets  influences  the  throughput. 

When  we  have  colluding  nodes  the  problem  of  detecting  backoff  manipulation  at  the  MAC 
layer  becomes  very  difficult.  Not  only  are  we  required  to  take  several  samples  in  order  to  come  up 
with  an  accurate  decision,  but  the  hidden  node  problem,  the  exponential  backoff  due  to  the  capture 
effect,  and  the  different  topologies  influence  our  decision.  In  future  work  we  will  focus  on  a  more 
rigorous  treatment  of  the  detection  problem  and  show  under  the  consideration  of  parameters  such 
as  network  topology,  the  difficulty  or  feasibility  of  the  problem. 

Finally,  we  assumed  in  this  paper  that  there  was  a  reputation  algorithm  receiving  our  detection 
results. There  is  still  the  open  question  of  how  to  react  when  we  detect  a  misbehaving  node.  How 
bad  is  the  performance  degradation  for  the  rest  of  the  network?  What  is  the  best  punishment 
strategy?  It  is  our  view  that  the  reputation  mechanism  should  have  a  layered  security  mechanism 
in  order  to  provide  an  educated  decision  on  how  to  react  to  MAC  layer  misbehavior. 
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